Former Scentre and Westfield CRO Eamonn Cunningham tells risk managers exactly what they need to do, step by step, to implement a new way of working

So how do you go about moving risk management from operations to a strategic decision-making tool?

Well, it does mean, for you, taking a step backward before you go forward. You need to focus on three main areas:

1. You as the risk management practitioner in the organisation,

2. The Organisation and its people, at least the key people, and

3. Your current Risk Management system.

Easy does it

Let’s first look at the Risk Manager and how your role, and your risk management system, is portrayed. Do the words used to describe you include ‘careful’, ‘forever cautious’ and ‘disciplined’? Those who are a little unkind will talk about Risk Managers as the people who always say no. If this view of you, as the Risk Manager, and of the Risk Management Department is even partially accurate, it has got to change.

So take a hard look at yourself and how you interact with the people in your organisation. Do you truly know what they think of you, and what you stand for? If not, find out. Survey them, talk to them. Get them to open up.

Focus particularly on your personal (soft) skillset as ultimately this is where you are probably seeking to get the most valuable insights. Prepare carefully for these sessions and remember your audience. The conversation you have with the Legal guy will be different to the one with the CFO. Speak their language.

The outcome of this process is often a bit of a reality check for those who undertake it properly. It will leave you needing to create your own personal action plan.

Some of the outcomes from the ‘surveys’ mentioned above lead nicely into the consideration of the second area: the organisation and its people.

Organisational mindset of risk and its management

That is, leaving aside, for the moment, the current level of influence of risk management on the organisation and its executives, what is their innate predisposition as regards risk? Focus in the first instance, on the influencers that you will rely on, the CEO, CFO, General Counsel, department heads and peers. Don’t forget Board members, particularly the Chair and members of the Risk Management Committee.

A lot of this can be gleaned from the surveys and interviews I mentioned earlier. So, as you build up this picture, you can categorise people as supporters, pragmatists, politicians or detractors. Know your audience!

From an organisational perspective, you obviously need a pretty good understanding of the business and the environment within which it operates. If you don’t have this intimate knowledge of your organisation, then fill this information void. You need to do so to be seen as credible.

The third element: the Risk Management System

You don’t deploy a risk management system that just helps you in the popularity stakes or just gets you over the line from a compliance point of view. You do try, however, to implement a system that works for the business and, at the same time, is appropriately calibrated so that both it and you will be successful.

It is important to stress here that you cannot introduce Strategic Risk Management unless you are building on a solid foundation.

I suggested earlier that you do some self-analysis of yourself and your department. Now I would also suggest that you undertake a form of analysis of the risk management system in use. If you are in the process of designing such a system or moving to the next stage - Strategic Risk Management - then use the following comments to assist in developing something that will give it, and you, a better chance of success.

Be relevant

In today’s world it is all about relevance. Nothing speaks louder than results, and for you this means demonstrating the clear, tangible benefits to be derived from what you offer the business. There are a few things that you need to be across to assist you.

1. Documentation and Language

Risk Management is a specialised area. It is, however, full of jargon and three-letter acronyms. Yes, what a wonderful way to show how knowledgeable and clever you are; that is, of course, if people actually understand what you are talking about. My message is to keep it simple and use plain language. Also, use words that your Organisation understands.

2. Know the business

Something I mentioned earlier. I actually believe it is counterproductive for you to attempt to engage with the key people in the business if you do not have sufficiently detailed knowledge about the business and its fundamental drivers. In particular, this means figuring out not only what is going on in individual departments but, almost more importantly, understanding how the activities of all departments mesh together to form the business.

3. One step at a time

Often it is better to adopt a piecemeal, evolutionary approach as opposed to an all-in-now one. A word of caution here: if going piecemeal, display the entire roadmap up front to your audience.

4. You need help

You need supporters and assistance along this journey. Seek out those who will be your Risk Management Champions in their own departments. Only use consultants who have done it, that is, walked it as opposed to just simply talked about it.

5. Be Vibrant

Constantly display copious amounts of passion. People have to see you advocate your position with conviction all the time.

So it is more than a tool; it is really a system, a way of thinking that you are deploying. Choose the system, the approach, that works for your company.

Take one year at a time

In year one you might simply work with the business to run the “risk ruler” over the emerging output of the strategic decision-making process.

In year two, move further up the food chain, ideally, if possible, into the decision-making room. If you cannot get into the room that year, make sure you influence the thinking of those in the room.

As each year goes by you need to entrench SRM further. Here are a few tips for success:

1. Take great care in choosing whom you partner with in this process. People do need to think strategically in order to contribute to the discussion of Strategic Risks. A Harvard Business School Professor said that some executives cannot articulate the objective, scope, and advantage of their business in a simple statement. “If they can’t, neither can anyone else.” So if you cannot describe your strategy, how can you have a focussed view on Strategic Risks? Therefore choose the right people.

2. The Black Hat Approach

Encourage executives to work with their own teams to develop strategic insights (and Risks, for that matter), then stress test them by always having someone play the contrary view, the devil’s advocate or Black Hat, for each initiative.

3. Just like the approach to strategic planning, with strategic risk management, you need to regularly reinvent the ‘discovery’ process. If you simply stick each year to the process you applied successfully last year, your incremental gains will diminish. The influences on the company, in seeking to achieve its Strategic objectives, will change all the time. So your approach to capturing them must also change. 

4. Have the leadership team engage in a strategic workshop to articulate and prioritise the key questions that the company will have to consider in the next three to five years

5. Ask the leaders of the business units to identify the most important questions that the senior management. What you are promoting here is insightful thinking

6. As a general rule, organisations that engage a broad group of internal and external stakeholders, in their strategic risk process, yield better results

7. Be as diverse as you can be in selecting the people to be involved in this process. Watch out for the ‘follow the leader’ syndrome or groupthink. Independent minds are what is needed here

8. Provide feedback to those involved in the process, to keep their interest level high

9. You need to tweak the process to suit your organisational structure,

10. Make sure that, as you expand the number of people in this process, communication is clear,

11. Get the CEO to send a message to all concerned, that in identifying strategic risks, everything is on the table,

12. Finally, get people to think outside the current, so-called norms of existing geographies and industries. Given the current spate of disrupters out there, for example, UBER and Airbnb, everyone involved needs to look at this with a completely fresh approach.

7 steps to success

I have adapted a COSO thought paper on improving ERM as a quick reference guide for introducing SRM:

1. Support from the top is a necessity - This cannot be overstated. You will not be successful without this support

2. Build SRM using incremental steps - Take your time. Build it up over a few reporting periods

3. Focus initially on a small number of top strategic risks - Identify initiatives and associated risks that the company finds particularly important

4. Leverage existing resources, particularly your champions - Lean on the people whom you know are generally onside with you in terms of Risk Management

5. Build on existing Risk Management (ERM) activities - Don’t start with a blank canvas

6. Embed SRM into the business fabric and culture of the organisation - It must be seen as part of the inner workings of the business, not some external tool, and finally,

7. Provide ongoing SRM updates and continuing education for directors and senior management. This must be seen by all, as a living, working, growing thing that is forever developing.